AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems preferred (in my mind). Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/admin/aide.te | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index f58ba850..fe52a280 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0) # Declarations # +## <desc> +## <p> +## Control if AIDE can mmap files. +## AIDE can be compiled with the option 'with-mmap' in which case it will +## attempt to mmap files while running. +## </p> +## </desc> +gen_tunable(aide_mmap_files, false) + attribute_role aide_roles; type aide_t; @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t) userdom_use_user_terminals(aide_t) +tunable_policy(`aide_mmap_files',` + files_map_non_auth_files(aide_t) +') + optional_policy(` seutil_use_newrole_fds(aide_t) ') -- 2.20.1
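Review bot: In the first hunk (the `<desc>` block for `gen_tunable(aide_mmap_files, false)`), the description does not tell an administrator what they will observe when the tunable is left at its default of `false` on a build compiled with mmap support, which the commit message says is the case for the RHEL7 package: whether AIDE falls back to plain reads or logs `map` denials for every scanned file. Stating the default and the consequence of leaving it off in the description (and, as a style point, phrasing it as "Determine whether AIDE can mmap files", matching the wording used by other tunable descriptions in the policy) would make `semanage boolean -l` output self-explanatory. The commit message names the build option as `WITH_MMAP` while the description says `'with-mmap'`; one spelling, the one the aide configure script actually accepts, should be used in both places.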
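Review bot: In the second hunk, `files_map_non_auth_files(aide_t)` grants `map` only on non-auth file types, so if the existing `aide_t` read permissions elsewhere in aide.te also cover authentication-related files (e.g. via an `auth_read_*` or `files_read_all_files` style interface), an mmap-enabled AIDE will still be denied when it tries to map those files even with the boolean on. The tunable block should be checked against the read rules it is meant to complement so that the set of files AIDE may map matches the set it may already read; if the auth types are deliberately excluded, a short comment above the `tunable_policy` block saying so would save the next reader from treating the resulting denials as a bug.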